A wireless mesh network is a mesh network implemented, for example, in a Wireless Local Area Network (WLAN). In a mesh network, a mobile node can route data originating from one mobile node on to another mobile node or transmit it to a base station. A mesh network can span large distances, in particular in hilly or difficult terrain. Mesh networks also work more reliably because each mobile node is connected to several other nodes. If one node drops out, due to hardware failure for example, its neighbor nodes look for an alternative data transmission route. Mesh networks may involve fixed or mobile devices.
FIG. 1 shows a diagram of a mesh network according to the prior art. The nodes comprise dedicated mesh nodes (MN) that are part of the network infrastructure. These dedicated mesh nodes may be a fixed base station BS or also a mobile station MS. In addition to the dedicated mesh nodes, the mesh network also comprises mobile end-user devices, i.e. mobile user nodes. The mobile nodes can communicate directly with another mobile node and/or exchange data directly or indirectly via other nodes with a base station BS, which is connected to a gateway GW of a data network. In this system, data packets DP are routed dynamically from one device or node to the next device until the destination device or the gateway GW is reached. In this dynamic routing, the routes on which the data packets DP are transmitted are computed dynamically on the basis of node availability and according to the network usage. The general characteristics of mesh networks are high network coverage, high reliability and economical use of available resources. In wireless mesh networks, the wireless transmission link is conventionally implemented by a WLAN (Wireless Local Area Network). Unlike a Wireless Personal Area Network (WPAN), WLAN networks have higher transmit powers and ranges and provide higher data transmission rates.
The Extensible Authentication Protocol, or EAP as it is known, which is known for instance from IEEE 802.1X-2004: “IEEE standard for local and metropolitan area networks—Port-based network access control”, ISBN 0-7381-4528-8, Dec. 13, 2004, pages 37-40, is used for authentication of nodes or computers. FIG. 2 shows a signal diagram illustrating an authentication procedure in a conventional WLAN network. The EAP protocol is employed in the WLAN to protect access to the network. Various actual authentication procedures, or EAP methods as they are called, can be carried over the EAP protocol, e.g. EAP-TLS, EAP-AKA, PEAP-MSChapv2. In the authentication process, a cryptographic key or session key MSK, EMSK (MSK: Master Session Key; EMSK: Extended Master Session Key) is determined, which is subsequently used to protect data communication, for example in link layer encryption. Authentication of a node is performed between the node (supplicant) and an authentication server (AAA server). On successful authentication, the authentication server sends the result of the authentication and the session key MSK originating in the authentication process to the authenticator, for example a WLAN access point AP. Communication between the access node, also referred to as the access point AP, and the authentication server is normally made via the RADIUS or Diameter data transmission protocol. In this protocol, the session key MSK is sent as a data attribute to the access point AP together with the EAP success message. The transmitted session key MSK is then used in an IEEE 802.11 four-way handshake 4WHS, as defined in the IEEE 802.11 standard, between the node and the access point.
In a conventional network, the access point AP is a trustworthy node, i.e. a node belonging to the network infrastructure. The access point in a conventional network is therefore not an end-user node.
FIG. 3 shows the authentication of two nodes MP-A, MP-B in a conventional WLAN network. The two nodes MP-A, MP-B may be two mesh points of a mesh network, for example. In order to set up a data link between the two nodes MP-A, MP-B, first the end node MP-A (as supplicant) authenticates itself with the associated authentication server AS using the EAP data transmission protocol. The node MP-B (as authenticator) receives a session key MSK1 in an EAP success message. Then the node MP-B performs a four-way handshake with the node MP-A, using the received session key MSK1 in the process. Then the node MP-B (now as supplicant) performs an authentication at the associated authentication server AS, and MP-A (now as authenticator) receives a second session key MSK2 in an EAP success message. The node MP-A then performs a four-way handshake with the node MP-B using the second session key MSK2. The two authentications can also be interleaved instead of being performed successively.
Any further communication between the two nodes MP-A, MP-B can be protected by one of the two session keys MSK1, MSK2.
One disadvantage with the procedure shown in FIG. 3 according to the prior art is that both nodes MP-A and MP-B need a link to the authentication server AS, and this is required both in the supplicant role and in the authenticator role. When a new node sets up its first link to a neighbor node, at that point it still has no connection to an infrastructure network and hence no link to an authentication server AS either. In addition, the authentication server AS must perform two authentications, which increases the load on it.
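The following simulation is an added illustration of the EAP/4WHS flow described above (MSK delivered to the authenticator in the EAP success message, then the IEEE 802.11 four-way handshake) and of the FIG. 3 procedure with its two sequential authentications. It is not code from the patent or from any of the cited standards. The EAP method, the MSK derivation and the PTK derivation are simplified HMAC-SHA256 stand-ins for the real protocol primitives, and all node identities, MAC addresses and secrets are constructed sample data. The `link_to_as` flag models the disadvantage in the text: when the new node MP-A has no link to the infrastructure yet, the second authentication (with MP-A as authenticator) cannot be completed, and the server's counter shows that a fully mutual setup costs the AS two EAP runs.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class AuthServer:
    """AAA server: knows every node's credential and counts EAP runs (its load)."""
    credentials: Dict[str, bytes]          # node id -> shared secret (constructed)
    authentications: int = 0

    def eap_authenticate(self, supplicant: str, proof: bytes) -> Optional[bytes]:
        """Run a stand-in EAP method; on success return the MSK that would be carried
        to the authenticator as an attribute alongside EAP Success (RADIUS/Diameter)."""
        self.authentications += 1
        secret = self.credentials.get(supplicant)
        if secret is None:
            return None
        expected = hmac.new(secret, supplicant.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, proof):
            return None
        # MSK is 64 bytes in the EAP key framework; constructed derivation here
        return hashlib.sha256(secret + b"msk" + supplicant.encode()).digest() * 2


@dataclass
class MeshPoint:
    node_id: str
    secret: bytes
    mac: bytes
    link_to_as: bool                        # can this node currently reach the AS?
    keys: Dict[str, bytes] = field(default_factory=dict)   # peer id -> installed PTK

    def proof(self) -> bytes:
        """Supplicant-side half of the stand-in EAP method."""
        return hmac.new(self.secret, self.node_id.encode(), hashlib.sha256).digest()


def four_way_handshake(authenticator: MeshPoint, supplicant: MeshPoint,
                       msk: bytes) -> Optional[bytes]:
    """Stand-in for the 802.11 4WHS: nonces exchanged in messages 1 and 2, PTK derived
    on both sides from the PMK, key confirmed by the MIC on message 3."""
    pmk = msk[:32]                          # 802.11i: PMK is the first 256 bits of MSK
    anonce = secrets.token_bytes(32)        # message 1: authenticator -> supplicant
    snonce = secrets.token_bytes(32)        # message 2: supplicant -> authenticator

    def derive_ptk() -> bytes:
        # simplified HMAC-SHA256 stand-in for the 802.11 PRF over MACs and nonces
        data = (b"Pairwise key expansion"
                + min(authenticator.mac, supplicant.mac) + max(authenticator.mac, supplicant.mac)
                + min(anonce, snonce) + max(anonce, snonce))
        return hmac.new(pmk, data, hashlib.sha256).digest()

    ptk_auth = derive_ptk()                 # authenticator's copy
    ptk_supp = derive_ptk()                 # supplicant's copy (same inputs)
    # message 3 carries a MIC under the KCK (first 16 bytes of the PTK); the supplicant
    # verifies it with its own KCK before installing the key
    msg3 = b"msg3" + anonce
    mic = hmac.new(ptk_auth[:16], msg3, hashlib.sha256).digest()
    if not hmac.compare_digest(mic, hmac.new(ptk_supp[:16], msg3, hashlib.sha256).digest()):
        return None
    authenticator.keys[supplicant.node_id] = ptk_auth
    supplicant.keys[authenticator.node_id] = ptk_supp
    return ptk_auth


def authenticate_link(authenticator: MeshPoint, supplicant: MeshPoint,
                      server: AuthServer) -> Optional[bytes]:
    """One half of FIG. 3: the supplicant runs EAP through the authenticator to the AS,
    the authenticator receives the MSK and starts the 4WHS. Fails when the authenticator
    has no link to the AS, which is the new-node problem described in the text."""
    if not authenticator.link_to_as:
        return None
    msk = server.eap_authenticate(supplicant.node_id, supplicant.proof())
    if msk is None:
        return None
    return four_way_handshake(authenticator, supplicant, msk)


def mutual_authentication(mp_a: MeshPoint, mp_b: MeshPoint,
                          server: AuthServer) -> Tuple[Optional[bytes], Optional[bytes]]:
    """Full FIG. 3 procedure: two sequential EAP runs with the roles swapped."""
    ptk1 = authenticate_link(authenticator=mp_b, supplicant=mp_a, server=server)   # MSK1
    ptk2 = authenticate_link(authenticator=mp_a, supplicant=mp_b, server=server)   # MSK2
    return ptk1, ptk2


def demo(new_node_has_as_link: bool) -> dict:
    """Run the procedure for a new node MP-A joining via MP-B (all values constructed)."""
    server = AuthServer(credentials={"MP-A": b"secret-a", "MP-B": b"secret-b"})
    mp_a = MeshPoint("MP-A", b"secret-a", bytes.fromhex("0a0a0a0a0a0a"), new_node_has_as_link)
    mp_b = MeshPoint("MP-B", b"secret-b", bytes.fromhex("0b0b0b0b0b0b"), True)
    ptk1, ptk2 = mutual_authentication(mp_a, mp_b, server)
    return {"ptk1": ptk1, "ptk2": ptk2, "as_load": server.authentications,
            "a_has_key_for_b": "MP-B" in mp_a.keys, "b_has_key_for_a": "MP-A" in mp_b.keys}


if __name__ == "__main__":
    for has_link in (True, False):
        r = demo(has_link)
        print(f"MP-A reaches AS: {has_link}  second 4WHS done: {r['ptk2'] is not None}  "
              f"AS authentications: {r['as_load']}")
```

With both nodes able to reach the AS the run completes both handshakes and the server counter reads 2; with the new node isolated, only the first authentication succeeds and the link is protected by MSK1 alone, which is exactly the asymmetry the text identifies as a drawback of the FIG. 3 procedure.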
IEEE 802.11i-2004: “IEEE standard for local and metropolitan area networks—Wireless LAN Medium Access Control—Security Enhancements”, ISBN 0-7381-4073-2, Jul. 23, 2004, pages 13-15, 19-20, discloses improving the EAP authentication method for the IEEE 802.11 standard.
A WLAN mesh network is known for instance from Faccin, S. M., et al.: “Mesh WLAN networks: concept and system design”, IEEE Wireless Communications, Volume 13, Issue 2, April 2006, pages 10-17, with the network elements mutually authenticating one another.
Jyh-Cheng, C., et al.: “Wireless LAN security and IEEE 802.11i”, IEEE Wireless Communications, Volume 12, Issue 1, February 2005, pages 27-36, discloses an expansion of the authentication method known from IEEE 802.11, while Fan, Y., et al.: “An improved security scheme in WMAN based on IEEE standard 802.16”, Proceedings, International Conference on Wireless Communications, Networking and Mobile Computing, Volume 2, 23-26 September 2005, pages 1191-1194, describes an expansion of the authentication method known from IEEE 802.16.
US 2005/0152305 A1 discloses an authentication method in a WLAN network using an EAP proxy.